AWS Certified DevOps Engineer - Professional · Difficulty

Medium DOP-C02 practice questions

Applied — put a concept to work in a realistic situation. 147 medium questions available — no sign-up, always free.

Question 1 of 25

A company uses AWS Certificate Manager (ACM) to issue public TLS certificates for several externally imported certificates that ACM cannot auto-renew (they were imported from a third-party CA). The security team was recently caught off guard when one imported certificate expired, causing a production outage. They need an automated, low-maintenance solution that proactively alerts the operations team at least 30 days before ANY imported certificate expires, across all accounts in the organization. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 25

A company runs a stateless web application on EC2 instances behind an Application Load Balancer (ALB) spread across three Availability Zones. An Auto Scaling group maintains 3 instances per AZ. During a recent single-AZ impairment, monitoring showed that clients connected through the affected AZ received elevated latency and some 5xx errors even though healthy instances existed in the other two AZs. The DevOps team wants to ensure that a single-AZ failure does not degrade the user experience, with minimal ongoing management. Which action BEST addresses this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 25

A media streaming company runs a stateful session service on an EC2 Auto Scaling group behind a Network Load Balancer. During scale-in events, users report abruptly dropped streams because instances terminate while active sessions are still in progress. Each session can last up to 8 minutes and the application can persist session state to DynamoDB if given time. The DevOps team must ensure that instances chosen for termination complete in-flight sessions before shutting down, without changing the streaming protocol. What is the MOST appropriate way to achieve this?

Reviewed for accuracy · Report an issue
Question 4 of 25

A media company runs a stateless web tier on an EC2 Auto Scaling group behind an ALB. During flash-sale events, traffic ramps sharply then drops in irregular waves. The team currently uses simple scaling policies with CloudWatch alarms on average CPU, plus a 300-second cooldown period. They observe that the group repeatedly scales out and scales in within short intervals (flapping), causing instances to churn and users to hit brief connection errors while capacity settles. The team wants scaling to respond quickly to sustained demand while avoiding rapid oscillation, with minimal manual tuning of thresholds. Which change best meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 25

A platform team maintains a large CDK application (TypeScript) composed of dozens of stacks authored by multiple product teams. Governance requires that every S3 bucket in every stack must have server-side encryption enabled and every resource must carry a 'CostCenter' tag. The team wants to enforce these rules automatically at synthesis time so that non-compliant stacks fail the build, without asking each product team to modify their construct code. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 25

A DevOps team uses AWS CDK to define a multi-tier web application (VPC, ECS cluster, RDS database, and application services). They need to deploy this identical application to three separate AWS accounts (dev, staging, prod) within their organization. Each account must have its own isolated set of resources, and the team wants a single CDK codebase where the environment-specific account IDs and region are supplied at synth time, producing separate CloudFormation templates per environment. Which CDK approach best satisfies these requirements while keeping the code maintainable?

Reviewed for accuracy · Report an issue
Question 7 of 25

A team uses CDK Pipelines (the CodePipeline construct in the aws-cdk-lib/pipelines module) to deploy a multi-stage application. Developers add a new deployment stage to the pipeline definition in code and merge to the main branch. When the existing pipeline runs, they expect the new stage to appear, but they are concerned about how the pipeline picks up structural changes to its own definition. Which behavior of CDK Pipelines correctly explains how the new stage becomes part of the running pipeline?

Reviewed for accuracy · Report an issue
Question 8 of 25

A DevOps team manages a production CloudFormation stack that deploys an application tier. They need to migrate an existing manually-created DynamoDB table into this stack so it becomes CloudFormation-managed, without any downtime or data loss. The table receives constant read/write traffic. Which approach correctly brings the table under management while minimizing risk?

Reviewed for accuracy · Report an issue
Question 9 of 25

A DevOps team manages a production RDS database and its surrounding networking through a single CloudFormation stack deployed via a CodePipeline. During a routine template update that modifies the DB instance's DBInstanceIdentifier property, the team wants an automated safeguard in the pipeline that halts the deployment BEFORE any resource is replaced, so an engineer can review whether the change would destroy the existing database. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 10 of 25

A team manages an S3 bucket, an IAM role, and a DynamoDB table through a single CloudFormation stack. An engineer, bypassing the pipeline, manually edited the S3 bucket policy and added a new lifecycle rule directly in the console during an incident. The next scheduled pipeline run deploys an unrelated change (adding a CloudWatch alarm) via a change set. The team wants to ensure the manual changes are reconciled to match the template AND wants ongoing visibility when future out-of-band changes occur, without deleting or recreating any resources. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 25

A DevOps team deploys a fleet of EC2 instances using a CloudFormation template. They want the instances to install packages, write configuration files, and start services automatically at launch, with the ability to update this configuration by simply updating the CloudFormation stack. They also want a clean signal to CloudFormation indicating whether the bootstrap configuration succeeded, so a failed configuration causes the stack update to roll back. Which approach best meets these requirements using native CloudFormation capabilities?

Reviewed for accuracy · Report an issue
Question 12 of 25

A DevOps team uses AWS CDK (v2) to deploy an application consisting of a parent stack with several nested stacks. Each nested stack references Lambda functions bundled from local source code as assets. The team runs 'cdk deploy' targeting a new region (eu-west-1) for the first time, but the deployment fails immediately with an error stating that the assets cannot be published because the environment is not bootstrapped. The same application deploys successfully in us-east-1. What is the correct way to resolve this while following AWS best practices for multi-region CDK deployments?

Reviewed for accuracy · Report an issue
Question 13 of 25

A DevOps team maintains a single CloudFormation template used to deploy an application across us-east-1, eu-west-1, and ap-southeast-2. The template launches EC2 instances that must use a region-specific, hardened AMI ID owned by the security team. The AMI IDs are updated roughly once per quarter through a separate golden-AMI pipeline. Deployments are triggered via a CodePipeline that runs the same template in all three regions. The team wants the correct AMI to be selected automatically per region at deploy time, without editing the template body and without manually passing AMI IDs as parameters on each run. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 25

A DevOps team manages a production VPC, subnets, and an RDS instance that were all created manually through the AWS console over two years ago. Management now requires all infrastructure to be managed as code using CloudFormation so that changes go through the change-set review process. The team must bring these existing, live resources under CloudFormation management WITHOUT deleting them or causing any downtime to the running RDS database. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 25

A DevOps team manages a shared networking stack and multiple application stacks in the same account and region using AWS CDK. Application stacks need to reference the VPC ID and subnet IDs produced by the networking stack. Currently they use CloudFormation cross-stack exports (Fn::ImportValue). The team frequently needs to modify the networking stack's subnet configuration, but CloudFormation blocks these updates because the values are exported and consumed by other stacks. They want a decoupling approach that still keeps everything defined as code and allows the networking stack to update independently while application stacks pick up current values. What should they do?

Reviewed for accuracy · Report an issue
Question 16 of 25

A DevOps team manages a production CloudFormation stack containing a shared VPC, transit gateway attachments, and a KMS key used by multiple downstream stacks. During a recent incident, an engineer ran `aws cloudformation delete-stack` against the wrong stack name from a scripting error, and the deletion began before it was cancelled. The team wants to guarantee that no accidental or automated API call can delete this foundational stack, while still allowing normal stack UPDATE operations to proceed through their CI/CD pipeline. What should they implement?

Reviewed for accuracy · Report an issue
Question 17 of 25

A DevOps team manages a production CloudFormation stack that includes an Amazon RDS DB instance and several Lambda functions. Recent template updates have occasionally caused unexpected resource replacements, resulting in unplanned downtime. The team wants a process that lets them see exactly which resources will be added, modified, or replaced before any changes are applied, and requires an explicit approval step before execution. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 25

A DevOps team manages a networking CloudFormation stack that uses the Outputs section with the Export field to publish a VPC ID and subnet IDs. Several application stacks consume these values using Fn::ImportValue. During a planned refactor, the team attempts to update the networking stack to remove one of the exported subnet outputs, but the stack update fails. What is the reason for the failure, and how should the team proceed?

Reviewed for accuracy · Report an issue
Question 19 of 25

A DevOps team manages a production application using a single CloudFormation stack that provisions an Amazon RDS database, an S3 bucket containing user uploads, and several stateless compute resources. During a planned refactor, the team must remove the compute resources by deleting and recreating the stack under a new name, but they cannot afford to lose the RDS data or the S3 objects. They also want CloudFormation to leave the existing database and bucket in place — without creating final snapshots that incur extra cost — when the old stack is deleted. Which approach ensures the stateful resources survive the stack deletion with the least operational risk?

Reviewed for accuracy · Report an issue
Question 20 of 25

A DevOps team manages an RDS instance using CloudFormation. Company policy prohibits storing database passwords in template parameters, plaintext, or version control. The password is already stored in AWS Secrets Manager under the secret name 'prod/rds/master'. The team wants CloudFormation to inject the password into the RDS instance's MasterUserPassword property at deploy time without ever exposing the value in the template, change set, or stack events. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 21 of 25

A platform team maintains a large CloudFormation template that provisions VPC, security, database, and application resources. The single template has grown past 500 resources and repeatedly hits the per-stack resource limit and exceeds the template body size limit during deployment. The team wants to break the template into logically separated components that are still deployed and updated together as one atomic unit, while allowing values (such as subnet IDs and security group IDs) to flow between the components without relying on cross-stack Exports that would block future refactoring. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 22 of 25

A DevOps team manages a large application using CloudFormation. They currently use a single monolithic template that provisions a VPC, an RDS database, and an ECS service. The networking team wants to update VPC subnets independently without risking the RDS or ECS resources, while the application team wants to deploy ECS changes frequently. The team decides to split the monolith. They want the VPC to be reusable by multiple unrelated application stacks that are deployed and updated on separate lifecycles, and they must avoid a situation where updating the VPC forces an update or replacement evaluation of the application stacks. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A DevOps team manages a production CloudFormation stack that contains an RDS database, an EC2 Auto Scaling group, and several application resources. During routine template updates, engineers have accidentally triggered replacement of the RDS instance twice, causing outages. The team wants a mechanism that blocks updates to the database resource specifically while still allowing the rest of the stack to be updated freely through the normal pipeline, without relying on engineers remembering to add flags at deploy time. Which approach BEST satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 24 of 25

A platform team deploys a baseline security stack to 200 accounts using a service-managed CloudFormation StackSet targeting the entire organization. Recently, a bad template change caused the stack operation to succeed in the first several accounts before an IAM misconfiguration was noticed, requiring a painful manual cleanup across dozens of accounts. The team wants a way to automatically halt the StackSet operation early — before it reaches most accounts — if deployments start failing, while still allowing a small number of transient failures. Which configuration change should they make?

Reviewed for accuracy · Report an issue
Question 25 of 25

A company manages infrastructure across an AWS Organization with 200 accounts. The cloud platform team, which does not have access to the Organization management account, needs to deploy and manage service-managed CloudFormation StackSets that automatically deploy to new accounts as they join specific OUs. The security team requires that the management account not be used for day-to-day StackSet operations. How should the platform team be enabled to perform these StackSet operations?

Reviewed for accuracy · Report an issue